About This Guide 


Thank you for your interest in Qualys File Integrity Monitoring (FIM). 


Qualys FIM allows you to log and centrally track file change events across your global IT 
assets. All you have to do is install lightweight agents on your assets and set up FIM 
monitoring profiles. We'll help you get started quickly! 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/ 
Get Started with Qualys FIM 


File Integrity Monitoring is a highly scalable, centralized solution that reduces the cost 
and complexity of detecting policy and compliance-related changes mandated by 
regulations such as the Payment Card Industry Data Security Standard. 


Refer to our online tutorials 


Just choose Get Started from the help menu and we'll walk you through the steps. Here 
you'll find links to helpful information. 


[Screenshot: the Get Started page of the FIM module (tabs: Dashboard, Events, Incidents, 
Responses, Reports, Assets, Configuration). It lists three quick steps: Install Cloud Agents 
(using CA) - go to Cloud Agent (CA) to install and activate agents for FIM on the systems you 
want to monitor, enable FIM in the configuration profile for the agents, then return to FIM; 
Configure monitoring profiles - associate a set of rules with the assets you want to monitor 
(assign directly or use asset tags), importing a profile from the Library or creating a new one; 
View your events - check the events detected on your assets and search for specific event 
details. The page also links to account info, training and related community posts.] 

Steps to start monitoring change events 


Install lightweight agents in minutes on your IT assets. They can be installed on your 
on-premises systems, dynamic cloud environments and mobile endpoints. Agents are 
centrally managed by the Cloud Agent platform and are self-updating (no reboot needed). 


Configure FIM monitoring profiles to tell us the files you want to monitor and the types 
of changes you want to know about. We provide several profiles in our Library to get you 
started but you can also create your own. 


View your events in one central location. You'll see all events detected across all of your 
assets. Search all of your events in a matter of seconds. 


We'll describe these steps in more detail in the sections that follow. 


Roles and permissions 


You can create users and assign each one a role; the role you define determines what the user can access. 




Depending on the roles and permissions assigned, the user can perform actions like 
creating, editing, or deleting rules and actions. 


The Administration module is used to create FIM users and assign roles and permissions. 


We have provided some pre-created user roles for FIM. Depending on the role, you get the 
associated set of permissions. 


Note: Users created before FIM version 2.5 will continue to have the same permissions. 


Manager- A user with the Manager role is considered a super-user and has all the available 
permissions. They have full privileges and access to all modules in the subscription. Only 
users with Manager role can create other users and assign roles. 


Note: The Manager user can customize permissions for the FIM User and FIM Manager. 


FIM User - By default, the FIM User role has only the FIM UI Access and Alerting Access 
permissions. A user with this role can see profiles, rules and actions but cannot create, edit, 
or delete them. 


The default permissions for the FIM User role, as shown on the Role Edit screen: 

FIM Permissions (1 of 7) 
- FIM UI Access (granted) 
- Create FIM Profile, Update FIM Profile, Delete FIM Profile, Link FIM Profile, Assign assets to 
Profile, Activate FIM Profile (not granted) 

Alerting Permissions (1 of 7) 
- Alerting Access (granted) 
- Create, Edit, Delete your own Action; Edit any Action; Delete any Action; Create, Edit, Delete 
your own Rule; Edit any Rule; Delete any Rule (not granted) 


FIM Manager - By default, this role has all FIM Permissions and all Alerting Permissions. 

The default permissions for the FIM Manager role, as shown on the Role Edit screen: 

FIM Permissions (7 of 7) 
- FIM UI Access, Create FIM Profile, Update FIM Profile, Delete FIM Profile, Link FIM Profile, 
Assign assets to Profile, Activate FIM Profile 

Alerting Permissions (7 of 7) 
- Alerting Access; Create, Edit, Delete your own Action; Edit any Action; Delete any Action; 
Create, Edit, Delete your own Rule; Edit any Rule; Delete any Rule 



Note: If the user is assigned a role with no Alerting Access permission, the user will not 
see the Responses tab on the FIM UI. 


[Screenshot: Role Edit for a FIM User role with Alerting Permissions at 0 of 7 (Alerting Access 
cleared), and the resulting FIM UI whose tab bar shows Dashboard, Events, Incidents, Reports, 
Assets and Configuration but no Responses tab.] 


Setting up asset tags (optional) 


Setting up asset tags using AssetView helps you automate file integrity monitoring using 
FIM. You can avoid assigning configurations manually to each asset by adding asset tags 
to the required configurations - FIM monitoring profiles and CA configuration profiles. 


We recommend you read the tips on configuring FIM monitoring profiles (see Best practices 
for creating profiles) before deciding how to assign tags to your assets. 




How to create tags 
Select AssetView from the module picker. 


Then go to Assets > Tags and click New Tag to add tags for your FIM assets. You can use a 
single tag or multiple tags to mirror your production configuration. 


[Screenshot: AssetView > Assets > Tags, showing example tags FIM Assets, FIM Assets - Linux 
and FIM Assets - Windows.] 


Not interested in tags? No problem. You can manually assign individual assets to your 
profiles. 


Cloud Agent Installation 




You'll need to install a cloud agent that's been activated for FIM on each asset you want to 
monitor for file integrity. You’ll install and manage agents using Qualys Cloud Agent (CA). 


Let’s get started! 
Select Cloud Agent (CA) from the module picker. 


Creating an activation key 


Create an activation key. Go to Activation Keys and click the New Key button. Give it a title, 
provision it for the FIM application and click Generate. 


[Screenshot: the New Activation Key wizard. Title: My FIM Key. Key Type: Unlimited key (by 
default a key lets you add any number of agents at any time). The key can be provisioned for 
applications such as Vulnerability Management, Policy Compliance and FIM, each showing the 
licenses remaining, and you can add tags to the key; the tags are applied to the hosts of agents 
installed with it. After the key is generated, the wizard offers the Windows (.exe) or Linux 
(.rpm) installer with install instructions for Microsoft Windows Client and Server, Red Hat 
Enterprise Linux, CentOS, SUSE Enterprise Linux, Amazon Linux and Oracle Enterprise Linux.] 

As you can see, you can provision the same key for any of the other applications in your 
account. 


Pick either Windows or Linux to get install instructions and download the installer. 


Want to do this step later? No problem, just exit the wizard. When you're ready, return to 
your activation keys list, select the key you want to use, then choose Install Agent from the 
Quick Actions menu. 




Review the installation requirements and click Download. 


[Screenshot: Install Agents > Windows Installation Requirements (agent version 2.0.2.178 at 
the time of the screenshot). The requirements listed are: 
- a link to the list of supported operating system versions 
- local administrator privileges on the host 
- the host must be able to reach the Qualys Cloud Platform or the Qualys Private Cloud 
Platform over HTTPS port 443 
- proxy configuration, if your host uses a proxy 
Steps to install the Windows agent: download the installer (saved to your downloads area as 
defined by your local system), copy the QualysCloudAgent .exe to the host you want to monitor 
and run the installation command shown in the wizard (it carries your CustomerId and can be 
copied with CTRL-C), or deploy it with group policy or a systems management tool. A 
troubleshooting link is provided.] 


You'll run the installer on each host from an elevated command prompt, or use a systems 
management tool or Windows group policy. Your agents should start connecting to our cloud 
platform. 

Activating your agents for FIM 
Choose "Activate for FIM or EDR or PM or SA" for each FIM cloud agent on the Agents tab. 

[Screenshot: Cloud Agent > Agent Management, with the Quick Actions menu for an agent: Add 
Tags, Deactivate Agent, Activate for FIM or EDR or PM or SA, Deactivate Agent for FIM or EDR 
or PM or SA. The Last Activity column shows states such as Provisioned and Configuration 
Downloaded with their timestamps.] 

Enabling FIM in a configuration profile 


Go to the “Configuration Profiles” tab, create a new profile or edit an existing one. Walk 
through the profile creation wizard. When you get to the FIM tab: 


1) Toggle “Enable FIM module for this profile” to On. This is required for FIM event data 
collection to occur. 


2) Configure when events are transmitted to the Qualys Cloud Platform. Defaults are 
provided, so this step is optional. You can configure values for event log size, threshold 
time, disk usage. 


(FIM settings are available only when FIM is enabled for your subscription). 


Tip - We recommend you set up asset tags for your FIM assets using AssetView. This 
makes it easy to associate FIM assets with a CA configuration profile and a FIM monitoring 
profile - just apply the same FIM tags to these profiles. 


[Screenshot: Configuration Profile Creation, File Integrity Monitoring Configuration step, with 
"Enable FIM module for this profile" toggled on.] The FIM settings shown, with their defaults 
and allowed ranges: 

- Max event log size (payload size to transmit to the platform): 1024 KB, range 10 - 10240 KB 
- Merge Payload threshold time (maximum time between FIM payloads sent to the server): 
300 secs, range 30 - 1800 secs 
- Maximum disk usage for FIM Data: 300 MB, range 100 - 2048 MB 
- FIM Data Collection Interval (the time between the completion of the previous scan and the 
start of the next scan): 360 min, range 240 - 43200 min; supported only for the AIX cloud 
agent 


Note: The Data Collection Interval configuration is applicable only when you configure a 
cloud agent for FIM on AIX. 


Events are transmitted to the Qualys Cloud Platform when either of the following occurs: 


- FIM event log reaches the maximum specified size 
- Payload threshold time is hit 
- Disk usage for total FIM data on the agent reaches the maximum specified size 


What’s next? Your assets will appear in Qualys FIM on the Assets list. Next we’ll describe 
how to create FIM monitoring profiles for your assets. 


FIM Monitoring Profiles 


The FIM monitoring profile is where you'll tell us the files you want to monitor and the 
types of changes you want to know about. We provide several profiles in our Library to get 
you started but you can also create your own. 


Best practices for creating profiles 


Configure as many profiles as needed for different situations, and apply multiple 
profiles to a single device. For example, you may want to configure profiles for these 
objectives: 


- Monitor OS critical binary and configuration data 
- Monitor application data 


- Monitor rights and permissions database or log files 


- Monitor application critical binaries 


Define Windows and Linux profiles separately. We don't currently support restricting a profile 
to a subset of OS versions. Be very granular when assigning profiles to assets, or you may get 
more events than intended. For example, say you have a Linux profile for CentOS and a Linux 
profile for Ubuntu, and assign both of them a tag that covers hosts of both operating systems. 
Both profiles will then be applied to every tagged host, and wherever their rules overlap you 
will receive more events than intended. 


After creating a monitoring profile you must activate it to enable change detection. You 
can deactivate a profile at any time to suspend monitoring for that profile. 
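The overlap described above is easy to miss once several profiles are tagged onto the same hosts. The following Python is an added example, not Qualys code: it models profiles as tag sets plus directory rules (path and depth), resolves which rules a host with a given set of tags receives, and reports rule pairs from different profiles whose monitored trees intersect. The profile names, tags and paths are constructed for the example, and the way depth is counted (levels below the rule directory) is an assumption.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Rule:
    profile: str   # name of the profile the rule belongs to
    path: str      # directory path exactly as typed into the rule
    depth: int     # levels below `path` that the rule monitors (assumed semantics)


@dataclass(frozen=True)
class Profile:
    name: str
    tags: frozenset   # asset tags assigned to the profile
    rules: tuple      # Rule objects


def _parts(path: str) -> tuple:
    # Normalise "/etc/apt/" and "/etc/apt" to the same component tuple
    return tuple(p for p in PurePosixPath(path).parts if p != "/")


def covers(rule: Rule, path: str) -> bool:
    """True if `path` lies in the tree watched by `rule`, honouring its depth."""
    base, target = _parts(rule.path), _parts(path)
    if target[: len(base)] != base:
        return False
    return len(target) - len(base) <= rule.depth


def rules_for_asset(profiles, asset_tags) -> list:
    """Rules an asset receives: every rule of every profile sharing a tag with it."""
    tags = set(asset_tags)
    return [r for p in profiles if tags & p.tags for r in p.rules]


def overlapping_rules(rules) -> list:
    """Pairs of rules from different profiles whose watched trees intersect."""
    hits = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.profile != b.profile and (covers(a, b.path) or covers(b, a.path)):
                hits.append((a, b))
    return hits


# Constructed sample: both Linux profiles carry the "linux" tag, so a CentOS host
# tagged "linux" receives both, and /etc/apt sits inside /etc within depth 2.
PROFILES = (
    Profile("CentOS baseline", frozenset({"linux"}),
            (Rule("CentOS baseline", "/etc", 2),
             Rule("CentOS baseline", "/usr/local/sbin/", 3))),
    Profile("Ubuntu baseline", frozenset({"linux"}),
            (Rule("Ubuntu baseline", "/etc/apt", 3),)),
    Profile("App server", frozenset({"app"}),
            (Rule("App server", "/opt/app/conf", 5),)),
)


def check_asset(asset_tags) -> list:
    """Overlapping rule pairs for a host carrying `asset_tags`."""
    return overlapping_rules(rules_for_asset(PROFILES, asset_tags))


if __name__ == "__main__":
    for a, b in check_asset({"linux", "app"}):
        print(f"overlap: {a.profile} {a.path} (depth {a.depth}) "
              f"<-> {b.profile} {b.path} (depth {b.depth})")
```

Run it against your own profile export before activating a new profile: any pair it prints is a place where one change on the host will produce an event under two profiles.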


Creating a FIM monitoring profile 
Choose File Integrity Monitoring (FIM) from the module picker. 


We provide several profiles in our Library to help get you started. Our out of box OS based 
profiles include pre-defined monitoring rules. 


Go to Configuration > Library, select an OS-specific profile and choose Import to Profiles 
from the Quick Actions menu. 


[Screenshot: Configuration > Library listing profiles such as PCI-DSS Lightweight Monitoring 
Profile - Windows (Version 2.0), Comprehensive Monitoring Profile for Windows (Version 6.0) 
and Minimum Monitoring Profile for Linux (Version 2.0), each with a Quick Actions menu 
offering View Details and Import to Profiles.] 

Choose whether to import the profile locked or without restrictions. Tip - If you pick No 
Restrictions you can edit the profile once imported (on the Profiles tab). 


You can also create your own profiles. Click Create New Profile on the Profiles tab. 


[Screenshot: Configuration > Profiles tab, with Categories and Status filters, a text search 
box and the Create New Profile button.] 


Provide basic profile details (name, operating system, category). Keep in mind - you’ll need 
to create separate profiles for Windows and Linux operating systems. 


[Screenshot: Create FIM Monitoring Profile, step 1 of 3 (Profile Details; steps 2 and 3 are 
Rules and Assign Assets). Fields: Profile Name (example: Lightweight Monitoring Profile for 
Linux), Operating System (Linux), Category (PCI) and Description, limited to 2500 characters. 
The example description reads: "File Integrity Monitoring (FIM) helps to detect changes in the 
system and business-specific files. The Lightweight Monitoring Profile for Linux includes files 
and directories such as system and application executable files, audit files, configuration and 
other sensitive files. It ensures effective noise reduction by including only the extremely 
critical files and directories that must be monitored for unauthorized..."] 


Note: FIM supports registry monitoring only for Windows assets, so select Windows as the 
Operating System when you want to add the Registry Key and Registry Value rule types. 


Add one or more rules to the profile to tell us what you want to watch for. Go to the Rules 
section, click Add New Rule and provide rule details. 


When defining a rule: 
(1) choose a rule type (File or Directory) and provide the full path to the file/directory. 
(2) select the actions that should trigger events. 


(3) click Save Rule to add the rule to the profile. 


[Screenshot: Create New: Monitoring Profile Rule. Rule Details: Rule Name (Rule-8), 
Description ("Used by system administrators when installing software locally."), Section 
(Configuration Files). Monitoring Rule Parameters: Rule Type Directory, Severity 3, Directory 
Path /usr/local/sbin/, Depth 3. Monitor the directory structure for: Directory Name Changes, 
Directory Removal, Directory Creation, Changes to Security Settings. Monitor files within the 
directory structure for: Name Changes, File Content Changes, File Removal, File Creation, 
Changes to Security Settings. Each group also offers an All option.] 


Note: Events get generated for FIM assets on AIX even if you do not select the File 
Removal and Directory Removal check boxes. 


If you choose Rule Type as Registry Value, then in the Value Path field, add the registry 
value name to be monitored. 


Depth applies to both the Directory and the Registry Key rule types. 


If you choose Directory/Registry Key as the Rule Type, you can click Advanced Options to 
include or exclude specific files/directories within that directory. 


[Screenshot: Advanced Options with one filter: Type Include, Targeting Files, and the relative 
path pattern *.log under /usr/local/sbin/. Controls: Add another path, Delete Filter, New 
Inclusion / Exclusion Filter.] 
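To see how a directory rule's path, depth and Include/Exclude filters combine before you rely on it, here is an added Python example (not Qualys code, and not a statement of how the agent evaluates rules internally). The rule mirrors the /usr/local/sbin/ example above with depth 3 and an Exclude filter on *.log; a second constructed rule shows Include filters. The evaluation order used here (scope, then depth, then Exclude filters, then Include filters, with an Include filter restricting the target type to matching paths only) and the way depth is counted (levels below the rule directory) are assumptions. The paths are constructed.

```python
import fnmatch
from pathlib import PurePosixPath

# Constructed rule modelled on the screenshot: /usr/local/sbin/, depth 3,
# one Exclude filter targeting files that match *.log.
RULE = {
    "path": "/usr/local/sbin/",
    "depth": 3,
    "filters": [
        {"type": "Exclude", "targeting": "Files", "patterns": ["*.log"]},
    ],
}

# Constructed rule with Include filters: only *.conf files and anything under ssh/.
RULE_INCLUDE = {
    "path": "/etc",
    "depth": 2,
    "filters": [
        {"type": "Include", "targeting": "Files", "patterns": ["*.conf", "ssh/*"]},
    ],
}


def relative_parts(base: str, path: str):
    """Components of `path` below `base`, or None when `path` is outside `base`."""
    b, p = PurePosixPath(base).parts, PurePosixPath(path).parts
    return p[len(b):] if p[: len(b)] == b else None


def _matches(rel: str, patterns) -> bool:
    # fnmatchcase gives the * and ? wildcard semantics of the filter field and is
    # case-sensitive, which is what a Linux file system needs.
    return any(fnmatch.fnmatchcase(rel, pat) for pat in patterns)


def _patterns(rule: dict, kind: str, target: str) -> list:
    return [p for f in rule["filters"]
            if f["type"] == kind and f["targeting"] == target
            for p in f["patterns"]]


def event_generated(rule: dict, path: str, is_dir: bool = False) -> bool:
    """Would a change at `path` raise an event under `rule`? (assumed evaluation order)"""
    rel = relative_parts(rule["path"], path)
    if rel is None:
        return False                      # outside the rule's directory
    if len(rel) == 0:
        return True                       # change to the monitored directory itself
    if len(rel) > rule["depth"]:
        return False                      # deeper than the rule watches (assumption)
    target = "Directories" if is_dir else "Files"
    rel_path = "/".join(rel)
    if _matches(rel_path, _patterns(rule, "Exclude", target)):
        return False                      # Exclude filters win (assumption)
    includes = _patterns(rule, "Include", target)
    if includes and not _matches(rel_path, includes):
        return False                      # an Include filter restricts to matching paths
    return True


if __name__ == "__main__":
    for p in ("/usr/local/sbin/deploy.sh", "/usr/local/sbin/install.log",
              "/usr/local/sbin/a/b/c/d.sh", "/etc/passwd"):
        print(p, "->", "event" if event_generated(RULE, p) else "no event")
```

Note that the Exclude filter targets Files, so a directory named something.log is still monitored; add a second filter targeting Directories if you want it excluded too.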


You can group the rules in sections. Create sections to group your monitoring rules. Go to 
the Rules tab and click New Section. 


Note: An activated profile must contain at least one rule, or a section with a rule in it. We 
show an error message if you try to 1) activate a profile that has no rule or no section with a 
rule in it, 2) delete the only rule in the profile, or 3) remove the only section that contains a 
rule. 


[Screenshot: Edit FIM Monitoring Profile > Rules tab, listing rules by Rule Name and Path with 
the Section control and an expandable Open Rules group.] 


Add assets to the profile. You can select individual assets in your account or assign asset 
tags in order to monitor all matching assets automatically. 


We recommend creating asset tags and assigning the tags to the profile when the profile 
needs to monitor more than 50 assets. 


[Screenshot: Create FIM Monitoring Profile > Assign Assets, where you select the assets you 
want to monitor using this profile. Example asset tags selected: debian, fim | debian10, with 
the option "Hosts that have [Any] of the tags will be included."] 


To specify the assets to be included in the monitoring profile, use the Any or All option 
from the drop-down list. 


The Any condition ensures that an asset is considered if it is included in any of the 
specified asset tags. Whereas, the All condition considers an asset only if it is included in 
the scope of all the specified asset tags. 


For example, you have two tags - 'HR_dept_Assets' and 'Finance_dept_Assets' - and three 
assets in your scope - Asset1, Asset2, and Asset3. The 'HR_dept_Assets' tag is assigned to 
Asset1 and Asset2, and the 'Finance_dept_Assets' tag is assigned to Asset1 and Asset3. 


You select the Any condition and then add the 'HR_dept_Assets' and the 
‘Finance_dept_Assets' tags for the profile you are creating. The profile rules will be applied 
to Asset1, Asset2, and Asset3, because an asset included in any of the specified tags will 
be included in the manifest. 


You select the All condition and then add the 'HR_dept_Assets' and the 
‘Finance_dept_Assets' tags for the profile you are creating. The profile rules will be applied 
to Asset1 only, because only Asset1 is included in both the tags that you have specified. 
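The Any/All logic above is a set operation, and the following Python is an added example (not Qualys code) that carries it through for the tags and assets in the text and, beyond the text, previews which assets would gain or lose the profile if you changed its tag selection. The asset-to-tag table is constructed to match the example; the function names are this example's own.

```python
# Constructed sample matching the example in the text: which tags each asset carries.
ASSET_TAGS = {
    "Asset1": {"HR_dept_Assets", "Finance_dept_Assets"},
    "Asset2": {"HR_dept_Assets"},
    "Asset3": {"Finance_dept_Assets"},
}


def assets_in_scope(profile_tags, mode, asset_tags=ASSET_TAGS) -> list:
    """Sorted names of the assets a profile applies to.

    mode "Any": the asset carries at least one of the profile's tags.
    mode "All": the asset carries every one of the profile's tags.
    """
    wanted = frozenset(profile_tags)
    if not wanted:
        return []                       # a profile with no tags selects nothing
    if mode == "Any":
        def hit(tags):
            return bool(wanted & tags)  # non-empty intersection
    elif mode == "All":
        def hit(tags):
            return wanted <= tags       # profile tags are a subset of the asset's tags
    else:
        raise ValueError(f"mode must be 'Any' or 'All', got {mode!r}")
    return sorted(name for name, tags in asset_tags.items() if hit(tags))


def scope_change(old_tags, old_mode, new_tags, new_mode, asset_tags=ASSET_TAGS) -> dict:
    """Assets that would start or stop being monitored if the profile's tag selection changed."""
    before = set(assets_in_scope(old_tags, old_mode, asset_tags))
    after = set(assets_in_scope(new_tags, new_mode, asset_tags))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    both = {"HR_dept_Assets", "Finance_dept_Assets"}
    print("Any:", assets_in_scope(both, "Any"))   # Asset1, Asset2, Asset3
    print("All:", assets_in_scope(both, "All"))   # Asset1 only
    print("Any -> All:", scope_change(both, "Any", both, "All"))
```

The scope_change preview is the check to run before switching a production profile from Any to All: every asset it lists under "removed" silently stops being monitored the moment the profile is saved.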


Activating a profile 


Activate your profile. New profiles are Inactive to start. Select the profile in the list and 
choose Activate to start using it. 


[Screenshot: Configuration > Profiles list with columns Profile Name, Status, Last Updated, 
Category, Assets and Tags, and the Quick Actions menu (View, Edit, Delete, Activate) open for 
an inactive Linux profile.] 


Deactivating a profile 


As mentioned earlier you must activate a profile to use it for monitoring. From the Profiles 
list, simply choose the action you want to take from the Quick Actions menu. Activate a 
profile to use it for monitoring; Deactivate a profile to suspend it from monitoring. 


[Screenshot: Profiles list with the Quick Actions menu (View, Edit, Clone, Delete, Deactivate) 
open for an active Linux profile.] 


Cloning a profile 


You can copy a profile along with its rules. Select the required profile and click Clone in the 
Quick Actions menu. 


[Screenshot: Profiles list with Clone selected in the Quick Actions menu of an active Linux 
profile.] 


The Clone FIM Monitoring Profile page is displayed and the Profile Name is prefixed with 
“Cloned profile”. You can change the name, add Category and Description. Click Create to 
clone the profile along with its rules. 




Note: You cannot change the Operating System of the cloned profile. 


[Screenshot: Clone FIM Monitoring Profile, step 1 of 3 (Profile Details). The Profile Name is 
pre-filled as "Cloned profile-Lightweight Monitoring Profile for Linux"; Operating System 
(Linux) cannot be changed; Category and Description can be edited.] 


Select the cloned profile from the list and from the Quick Actions menu, click Edit. 


[Screenshot: Configuration > Profiles list with the Quick Actions menu (View, Edit, Delete, 
Activate) open for the newly cloned, still inactive profile.] 


On the Rules page, edit the rules if required and click Next. On the Assign Assets page, add 
tags, assets, and click Save. To use the profile for monitoring, activate the profile. 


Deleting a profile 


Select the profile from the list and click Delete from the Quick Actions menu. Then click 
Yes on the Delete Profile window. 


Note: You can delete an active profile only if it has no tags or assets associated with it. To 
delete an active profile that has tags or assets associated with it, deactivate the profile first. 


Assigning a profile to an asset 


Tip - If your profile has asset tags defined then there's nothing you need to do. As long as 
the new asset has a tag that matches a tag in the profile it will use the profile 
automatically. 


When you add a new asset you can assign a monitoring profile to the asset by clicking on 
the Actions menu. 


Windows Registry Integrity Monitoring 


The Windows registry holds rich information about installed applications and is the store in 
which they persist their data. 

Compromised integrity of the Windows registry is a valuable indicator that malware is 
present or that the system has been compromised. 

As security analysts, we need the capability to monitor changes to the registry and determine 
whether its integrity has been compromised. Compliance standards such as PCI DSS, NERC CIP 
(CIP-010), FISMA, SOX, NIST (SI-7), HIPAA, the CIS Controls and GDPR require integrity 
monitoring solutions to be deployed on critical systems. 


Once the Cloud Agent is installed on an asset, activate the agent for FIM. The asset appears 
on the Assets tab after activation. 

From the Configuration tab, create a monitoring profile. For more information, refer to 
Creating a FIM monitoring profile. 


[Screenshot: FIM > Configuration > Profiles listing Windows profiles in the PCI and HIPAA 
categories, with the Quick Actions menu open: View, Clone, Delete, Activate, Import Registry 
Rules.] 


While creating the rule, select Rule Type as Registry Key or Registry Value. 


[Screenshot: Create New: Monitoring Profile Rule with the Rule Type drop-down expanded to 
show Directory, Registry Key and Registry Value; Severity 3.] 


Selecting Registry Key as the Rule Type: 

Enter the key path you want to monitor. For example: 
HKEY_LOCAL_MACHINE\SOFTWARE\<keyname> 

Select the other attributes you want to monitor and save the rule. 

Selecting Registry Value as the Rule Type: 

Enter the value you want to monitor. For example: 
HKEY_LOCAL_MACHINE\SOFTWARE\<valuename> 

Two attributes are available for you to select: Value Removal (deletion) and Value Write 
Changes (content change). 

Also fill in both Key Path and Value Path: in Key Path, enter the registry base path to be 
monitored, and in Value Path, enter the name of the value to be monitored. 


Registry Key Full Path - 

Only the HKEY_LOCAL_MACHINE and HKEY_USERS hives are supported for registry 
monitoring. 

Registry Value Name - 

Do not use the special characters / " < > | * ? in a registry value name. The special characters 
[] () are allowed. 


Advanced Filters for Key - 

Do not use the special characters / " < > | in key paths. Key paths can otherwise contain 
letters and numbers, including spaces, backslashes (\) and commas (,). 

A registry key path must not start or end with a slash (/). 

Advanced Filters for Value - 

Do not use the special characters / " < > | in value-name filters. The special characters [] () 
* ? are allowed (? is a single-character wildcard and * is a multi-character wildcard). 

Filters can contain letters and numbers, including spaces and commas (,). 


[Screenshot: the Registry Key rule form (Severity 3) with Advanced Options expanded and the 
New Inclusion / Exclusion Filter control.] 


The newly created profile is Inactive by default; activate the profile to start monitoring. 

Note: To activate a profile, you must have defined at least one rule. 

Instead of creating the rules manually, you can also import the registry rules available in the 
Library: 


- Select the Monitor Registry option on the Rules tab, and all the registry rules available in 
the Library are imported into your profile. 


[Screenshot: Create FIM Monitoring Profile > Rules tab (Profile Details, Rules, Assign Assets 
steps) showing the Monitor Registry option.] 


Don't forget to Save the profile after selecting the option; your changes take effect only 
after the profile is saved. 

- You can also select Import Registry Rules from the Quick Actions menu on the Profiles tab. 


[Screenshot: Configuration > Profiles tab (1-50 of 653 profiles) with the Quick Actions menu 
open for an active Windows profile: View, Edit, Clone, Delete, Deactivate, Import Registry 
Rules.] 


For profiles where the Monitor Registry check box is already selected, the Import Registry 
Rules option is disabled. 

- You can also import the Monitoring Profile for Windows Registry Settings from the Library 
tab. 


Once the manifest is generated, FIM starts reporting the changes. 


Any kind of activity that is marked to be monitored will be reported. You can view the 
events on the UI. 


File Reputation Status 


FIM lets you see the reputation status of files. The file reputation status is derived from the file content hash. 


The reputation status of a file can be seen on the Event Details page for events of type Create and Content. The source of event enrichment for File Reputation Status is the Centralized Qualys Threat DB. 


The file reputation status can be any of: MALICIOUS, SUSPICIOUS, KNOWN, UNKNOWN, or UNAVAILABLE. 


Event Filtering is possible using the search tokens. 


For Windows, this is applicable to PE files only; for Linux, it is applicable to all types of files. 


Go to the Event Details page to view the events in detail. 




Automatic incident creation for malicious events 


When FIM identifies the reputation of a PE file as Malicious on the Event Details page, an incident is automatically created with the following disposition details: 


- Type: Automated 
- Status: Open 

The reviewer can review the incident and take the appropriate action to close it. 


Click on the drop-down arrow next to the Name of the incident to review it. 


Select the Start Review option to take the required action on the incident. 




The incident review screen appears with the severity and other important parameters that are required to take review actions. 


Click Next, select the appropriate approval status from the options available, and click Finish to submit. 


Other fields on the approval form will be auto populated with the following details: 


- Disposition: Malware 
- Change Type: Compromise 
- Approval Status: Policy Violation 
- Comment: Malicious change detected on the system 
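The enrichment and automatic incident creation described in this section, as an added Python example that is not Qualys' own code: a constructed stand-in for the Centralized Qualys Threat DB is keyed by SHA-256 of the file content (the hash algorithm is an assumption; the guide only says "content hash"), enrichment applies only to Create and Content events and on Windows only to PE files, and a MALICIOUS result produces an Automated, Open incident pre-filled with the disposition details listed above. Sample file contents and events are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

REPUTATION_STATUSES = ("MALICIOUS", "SUSPICIOUS", "KNOWN", "UNKNOWN", "UNAVAILABLE")

# Constructed sample file contents. The "MZ" prefix is the DOS header every PE image
# starts with; the guide's Windows rule (PE files only) is checked against it.
SAMPLE_MALICIOUS_PE = b"MZ\x90\x00" + b"constructed malicious sample"
SAMPLE_UNKNOWN_PE = b"MZ\x90\x00" + b"constructed binary with no verdict"
SAMPLE_KNOWN_TEXT = b"# constructed known-good config file\n"


def content_hash(data: bytes) -> str:
    """File content hash used for the lookup (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the Centralized Qualys Threat DB: content hash -> reputation status.
THREAT_DB: Dict[str, str] = {
    content_hash(SAMPLE_MALICIOUS_PE): "MALICIOUS",
    content_hash(SAMPLE_UNKNOWN_PE): "UNKNOWN",
    content_hash(SAMPLE_KNOWN_TEXT): "KNOWN",
}


@dataclass
class Event:
    file_name: str
    full_path: str
    platform: str                 # "Windows" or "Linux"
    action: str                   # "Create", "Content", "Delete", ...
    content: bytes                # constructed content, hashed for the lookup
    reputation_status: Optional[str] = None


def is_pe_file(data: bytes) -> bool:
    """PE images start with the DOS 'MZ' header."""
    return data[:2] == b"MZ"


def enrich_reputation(event: Event, threat_db: Dict[str, str] = THREAT_DB) -> Event:
    """Derive the reputation status for Create and Content events only. On Windows only
    PE files are enriched; on Linux every file is. A hash absent from the DB is UNAVAILABLE."""
    if event.action not in ("Create", "Content"):
        return event
    if event.platform == "Windows" and not is_pe_file(event.content):
        return event
    event.reputation_status = threat_db.get(content_hash(event.content), "UNAVAILABLE")
    return event


def auto_incident(event: Event) -> Optional[dict]:
    """A MALICIOUS reputation creates an Automated, Open incident whose approval form is
    pre-filled with the disposition details listed in the guide."""
    if event.reputation_status != "MALICIOUS":
        return None
    return {
        "type": "Automated",
        "status": "Open",
        "disposition": "Malware",
        "change_type": "Compromise",
        "approval_status": "Policy Violation",
        "comment": "Malicious change detected on the system",
        "events": [event.full_path],
    }


def process_events(events: List[Event]) -> List[dict]:
    """Enrich every event and return the incidents that were created automatically."""
    incidents = []
    for ev in events:
        incident = auto_incident(enrich_reputation(ev))
        if incident is not None:
            incidents.append(incident)
    return incidents


# Constructed sample events, one per rule: malicious PE, non-PE on Windows (not enriched),
# known file on Linux, unknown hash on Linux, and a Delete event (not enriched).
SAMPLE_EVENTS = [
    Event("dropper.exe", r"C:\Users\Public\dropper.exe", "Windows", "Create", SAMPLE_MALICIOUS_PE),
    Event("notes.txt", r"C:\Users\Public\notes.txt", "Windows", "Content", SAMPLE_KNOWN_TEXT),
    Event("app.conf", "/etc/app/app.conf", "Linux", "Content", SAMPLE_KNOWN_TEXT),
    Event("tool", "/usr/local/bin/tool", "Linux", "Create", b"constructed, not in the DB"),
    Event("old.exe", r"C:\Temp\old.exe", "Windows", "Delete", SAMPLE_MALICIOUS_PE),
]

if __name__ == "__main__":
    for incident in process_events(SAMPLE_EVENTS):
        print(incident)
    print([(e.file_name, e.reputation_status) for e in SAMPLE_EVENTS])
```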




After you finish reviewing, the status appears as Closed on the Incident details page. 


You can also perform other actions from the same drop-down, such as: 
- View Details 
- Generate Report 


File Trust Status 


FIM lets you see whether a file was published by a trusted source. The File Trust status is derived from the file content hash. 


The trust status of a file can be seen on the Event Details page for events of type Create and Content. The source of event enrichment for File Trust Status is the Centralized Qualys Threat DB. 


Possible values of trust status are: Trusted and Unavailable. 


- TRUSTED: Indicates the file is published by a trusted source, for example Microsoft, Oracle, etc. 
- UNAVAILABLE: The status is not available in the Centralized Qualys Threat DB. 


Event filtering is possible using the search tokens. 


For Windows, this is applicable to PE files only; for Linux, it is applicable to all types of files. 


Go to the Event Details page to view the events in detail. 




FIM Assets 


FIM provides one central location for viewing all of the events detected across all of your 
assets. The Events tab and the Assets tab contain search capabilities, group by options, 
and download options. In the Assets tab you can find all assets impacted by FIM events. 


Use tabs in the Events section to quickly identify: 
(1) All events detected across all of your assets, except ignored events. 
(2) Events waiting to be reviewed. You can choose to ignore events or create incidents. 
(3) Ignored events. 


Note: When adding a folder path to a file.fullPath or actor.imagePath QQL query, avoid a “\” at the end of the path, as it results in an invalid QQL query while searching. 


Viewing assets 


You can find assets based on Operating System, Manifest Status, and Agent Status using the filters in the left pane. The Manifest Status and Agent Status columns also display the time the status was updated. 




Note: The QQL token agentService.status is not supported for FIM assets on AIX; hence, no data is fetched for AIX assets if you use this QQL, and the Agent Status column does not display any data. 

Manifest Status 

As part of agent-status-core, you can see whether the agent has downloaded the manifest. 


The manifest comes into effect only after the agent applies the downloaded manifest. After the manifest is downloaded, two additional manifest statuses are displayed for Windows: 


- Manifest applied successfully 
- Manifest application failed 


Clicking View Details in Quick Actions for an asset shows complete information about 
the Asset impacted by FIM. Asset details can also be seen from the Events tab by clicking 
Asset Details for an event. This brings up details of the asset impacted by that FIM event. 


Important: The following manifest statuses are not supported for AIX assets: 
- FIM_MANIFEST_APPLICATION_FAILED 
- FIM_MANIFEST_APPLIED_SUCCESS 
- FIM_MANIFEST_ASSIGNED 
- FIM_MANIFEST_ASSIGNMENT_FAILED 


Assets that did not send events 


You can find assets that did not send events over a particular duration. Select the Assets 
that did not send Events option and from the adjacent drop-down list, select the required 
duration. 




Downloading asset details 


You can download the asset details in CSV format. The following details are included in 
the report: 


- Asset name 
- Manifest status 
- Agent status 
- Operating System of the assets 
- Profile 
- Tags assigned to the assets 


FIM Events and Incidents 


FIM provides one central location for viewing all of the events detected across all of your 
assets. The Events tab and the Assets tab contain search capabilities, group by options, 
and download options. In the Assets tab you can find all assets impacted by FIM events. 


Use tabs in the Events section to quickly identify: 
(1) All events detected across all of your assets, except ignored events. 
(2) Events waiting to be reviewed. You can choose to ignore events or create incidents. 
(3) Ignored events. 


Note: When adding a folder path to a file.fullPath or actor.imagePath QQL query, avoid a “\” at the end of the path, as it results in an invalid QQL query while searching. 


Viewing events 


You can find events based on event data, file information, monitoring profile, and more. 


Searching for events 




Our search capabilities give you the ability to quickly find events matching certain criteria. 
Here are the steps to search for events. Search for incidents and assets in a similar way. 


You'll notice the Search field above the Events list. This is where you'll enter your search query. 


Start typing and we'll show you the event properties you can search, like actor process, asset hostname, profile name, etc. Select the one you're interested in. 


Now enter the value you want to match, and click Search. That's it! Your matches will appear in your events list. 


Tip - Go to the FIM online help for details on the search language and sample queries. 


The date range for searching events must be less than or equal to 365 days. The range can span from any year to any year, but the total number of days must be less than or equal to 365. 


Narrowing your results 


Once you have your search results you may want to organize them further into logical 
groupings. Choose a group by option on the left side. You'll see the number of events or 
assets per grouping. Click on any grouping to update the search query and view the 
matching events. 




Grouping assets 


By using the Group By option, you can group similar assets under one list. The Group by Assets option brings up a maximum of 1000 assets, without a pagination option. 




You can view event details with the Asset Name and the count of Total Events for that asset. 




Saving and managing search queries 


When you are searching for events in the All Events and Event Review tabs, you can save these searches using the "Save this Search Query" option. Saved searches are available under the “Manage Saved Searches” option. 


Note: If you cannot see the saved search under the Manage Saved Searches option, press 
F5 or refresh the screen. 




Viewing event details 


Clicking Event Details in the Quick Actions for an event brings up the Event Details page. This page provides complete information about the FIM event. 




Note: The QQL tokens actor.process, actor.UserID, actor.UserName, and actor.imagePath are not supported for FIM assets on AIX; hence, no data is fetched for AIX assets if you use these QQLs, and the Actor column does not display any data. 

Grouping events by filters to get event count 


You can view the total count of events by Assets, Operating System, Monitoring Profile, Severity and Platform in the All Events tab. To view the count of FIM events by any of the filters, go to the Events > All Events tab, select a date range, and select a filter from the Group By drop-down. 




Ignoring events 


Have an event you don't need to track? Ignore it to move it out of your list. Select specific events and choose Ignore Events from the Actions menu. Optionally, choose Ignore All Matching Events to ignore all events that currently match your query for the timeframe you've selected. Ignored events are moved to the Ignored list. Note - You may get similar events in the future that will appear in your Events list, and you'll want to ignore those too. 




Did you ignore an event by mistake? No worries. Easily restore any ignored event from the 
Ignored list. 


Correlation rules for incident creation 


We can help you automate the incident creation based on a QQL rule query defined in a 
correlation rule. To help you create correlation rules, FIM provides a Correlation Rule 
wizard. In the wizard, define a query to specify for which events you want to create 
incidents and a schedule to indicate when and how often you want to run the rule to 
create incidents for the events that matched the rule query. 


Through auto-correlation rules, incidents are created when an event is created that matches the incident criteria. The correlation rule wizard also gives you an option to create alerts for the incidents that are created for this rule. 


You can access the correlation wizard from the following pages: 
1) Go to the Incidents > Correlation Rules tab. 
2) Go to the Events > All Events tab or Events > Event Review tab. Enter a search query in the search box and press Enter. Click the menu button next to the search box and select “Create Correlation Rule from Search Query”. When you create a correlation rule, the search query provided on the page is copied to the new correlation rule. 




Note: After you upgrade the Cloud Agent to 4.1 or above, the File Path is displayed as (c:\directory\sub-directory\file.ext). If not all the agents in your subscription are upgraded to 4.1 or above, edit the existing QQL queries to add the new File Path format along with the old one. 


3) Go to the Assets tab, select an asset and from the Quick Actions menu select “Create 
Correlation Rule” to create a correlation rule for an asset. When you create a correlation 
rule for an asset, the agent ID of the asset is copied to the new correlation rule. Use the 
operators "and/or" to customize your search query. 
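As an added Python example (not Qualys' own code), a query helper that applies three rules from this guide: the trailing-“\” note for file.fullPath and actor.imagePath queries, the Cloud Agent 4.1 note on carrying both File Path formats with "or", and the 365-day date-range limit from "Searching for events". The quoting style follows the sample queries shown in this guide; the sample paths are constructed, and whether backslashes need escaping inside a QQL string is not stated in the guide, so they are passed through literally as in its examples.

```python
from datetime import date
from typing import Sequence

MAX_SEARCH_RANGE_DAYS = 365


def sanitize_folder_path(path: str) -> str:
    """Remove the trailing backslash that makes a file.fullPath or actor.imagePath QQL invalid."""
    cleaned = path.rstrip("\\")
    if not cleaned:
        raise ValueError("folder path is empty after removing the trailing backslash")
    return cleaned


def qql_term(token: str, value: str) -> str:
    """One token:"value" term, quoted the way the guide's sample queries are."""
    return f'{token}:"{value}"'


def path_terms(token: str, paths: Sequence[str]) -> str:
    """Build the path part of a query. Passing both the old \\Device\\HarddiskVolumeN\\... form
    and the new c:\\... form (Cloud Agent 4.1 and above) joins them with 'or', so the query
    still matches while some agents in the subscription are not yet upgraded."""
    terms = [qql_term(token, sanitize_folder_path(p)) for p in paths]
    if not terms:
        raise ValueError("at least one path is required")
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def build_query(*clauses: str) -> str:
    """Join clauses with 'and'; empty clauses are skipped."""
    return " and ".join(c for c in clauses if c)


def validate_date_range(start: date, end: date) -> bool:
    """The search window may span years, but end - start must not exceed 365 days."""
    return start <= end and (end - start).days <= MAX_SEARCH_RANGE_DAYS


def folder_events_query(old_path: str, new_path: str, action: str = "Create") -> str:
    """Events of one action under a folder, for a subscription with mixed agent versions."""
    return build_query(path_terms("file.fullPath", [old_path, new_path]),
                       qql_term("action", action))


if __name__ == "__main__":
    # Constructed sample paths; the trailing backslashes are deliberately present to show the fix.
    print(folder_events_query("\\Device\\HarddiskVolume2\\Windows\\Prefetch\\",
                              "C:\\Windows\\Prefetch\\"))
    print(validate_date_range(date(2020, 12, 31), date(2021, 12, 31)))
```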


Note: For events with 'reputationStatus' as 'MALICIOUS', an Automated Incident will be created with the following configuration: 

- Disposition = Malware 
- Change Type = Compromise 
- Approval Status = Policy Violation 
- The Start Review option will be available immediately. 


Creating a correlation rule using correlation rule wizard 


Provide the correlation rule name and description. Enter a rule query. When the rule is 
triggered, the events matching the rule query are picked and added to the incidents. 
Optionally, use the Choose from my saved searches option to select a search query. We 
also provide a Query Library from which you can choose predefined queries. 




Scheduling a rule 


Next, select the schedule to indicate when and how often you want to run the rule. By default, the rule runs once. Schedule the rule by choosing a date, a start time, and an end time. To set a recurring schedule, select the Recurring Job check box. You have the option to schedule the rule to run daily between a specified time, or every week or every month on chosen days between a specified time period. 


FIM also supports cross-date scheduling. A correlation can start at 10 pm on day 1 and end at 2 am on day 2 (an effective schedule of 4 hours). If the end time is less than or equal to the start time, the end time is taken as that time on the next day. There is no end date for the schedule. You can deactivate or delete a correlation rule to stop creating incidents for the rule. 


The scheduler runs every 5 minutes to pick up new jobs. Hence, when creating a schedule, it is recommended that you choose a Start Time more than 15 minutes from the current time for the job to get picked up. If you choose a Start Time less than 15 minutes away, it is possible that by the time you have created the rule, the scheduler has already picked up the job. In that case your job will be picked up in the next scheduled cycle. This means a One Time rule will never run, as the time set for running the rule has already passed, and a Recurring rule will run at the next schedule. 


When the correlation rule is run during the scheduled time, FIM will pick up all the events 
that are raised during the scheduled time and that match the search query provided in the 
rule. All these events are then added to the newly created incident. The naming 
convention used for incidents is correlation rule name followed by incident creation date 
and time. Note that you cannot change the Trigger criteria of a correlation rule in the edit 
mode. 
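The scheduling behaviour described above, as an added Python example that is not Qualys' own code: cross-date windows where an end time at or before the start time falls on the next day, the 5-minute scheduler cycle and the 15-minute lead recommendation, and a rule run that collects the events raised in the window that match the rule query into one incident named after the rule and its creation time (the "rule name-YYYYMMDD-HHMMSS" form seen in this guide's incident lists). Clock-aligned scheduler ticks, the sample events, and the stand-in rule query are assumptions.

```python
from datetime import date, datetime, time, timedelta
from typing import Callable, Iterable, Tuple

SCHEDULER_INTERVAL = timedelta(minutes=5)   # the scheduler polls for new jobs every 5 minutes
RECOMMENDED_LEAD = timedelta(minutes=15)    # choose a Start Time more than 15 minutes ahead


def effective_window(day: date, start: time, end: time) -> Tuple[datetime, datetime]:
    """Cross-date scheduling: when End Time <= Start Time, the end falls on the next day."""
    start_dt = datetime.combine(day, start)
    end_dt = datetime.combine(day, end)
    if end <= start:
        end_dt += timedelta(days=1)
    return start_dt, end_dt


def window_hours(day: date, start: time, end: time) -> float:
    """Length of the effective schedule in hours (10 pm to 2 am gives 4.0)."""
    start_dt, end_dt = effective_window(day, start, end)
    return (end_dt - start_dt).total_seconds() / 3600


def next_scheduler_tick(now: datetime) -> datetime:
    """Next 5-minute boundary at which the scheduler looks for new jobs. Assumes ticks are
    aligned to the wall clock, which the guide does not state."""
    floored = now.replace(second=0, microsecond=0)
    floored -= timedelta(minutes=floored.minute % 5)
    return floored + SCHEDULER_INTERVAL


def start_time_ok(now: datetime, start_dt: datetime) -> bool:
    """True when the Start Time respects the recommended 15-minute lead."""
    return start_dt - now > RECOMMENDED_LEAD


def incident_name(rule_name: str, created_at: datetime) -> str:
    """Rule name followed by the incident creation date and time."""
    return f"{rule_name}-{created_at:%Y%m%d-%H%M%S}"


def run_rule(rule_name: str, rule_query: Callable[[dict], bool], events: Iterable[dict],
             window: Tuple[datetime, datetime], created_at: datetime) -> dict:
    """Pick every event raised inside the scheduled window that matches the rule query and
    add all of them to one newly created incident."""
    start_dt, end_dt = window
    matched = [e for e in events if start_dt <= e["timestamp"] <= end_dt and rule_query(e)]
    return {
        "name": incident_name(rule_name, created_at),
        "type": "Automated",
        "status": "Open",
        "events": matched,
    }


# Constructed sample events; timestamps and paths are made up for this example.
SAMPLE_EVENTS = [
    {"timestamp": datetime(2021, 3, 1, 21, 50), "action": "Delete", "path": "/var/log/auth.log"},
    {"timestamp": datetime(2021, 3, 1, 23, 10), "action": "Delete", "path": "/var/log/secure"},
    {"timestamp": datetime(2021, 3, 2, 1, 30), "action": "Create", "path": "/var/log/secure"},
    {"timestamp": datetime(2021, 3, 2, 1, 45), "action": "Delete", "path": "/var/log/messages"},
    {"timestamp": datetime(2021, 3, 2, 2, 30), "action": "Delete", "path": "/var/log/cron"},
]


def log_deletion(event: dict) -> bool:
    """Stand-in for a rule query such as action:"Delete" on paths under /var/log (constructed)."""
    return event["action"] == "Delete" and event["path"].startswith("/var/log/")


if __name__ == "__main__":
    window = effective_window(date(2021, 3, 1), time(22, 0), time(2, 0))
    print(window_hours(date(2021, 3, 1), time(22, 0), time(2, 0)))
    print(run_rule("Deletion of Log File(s)", log_deletion, SAMPLE_EVENTS, window,
                   datetime(2021, 3, 2, 2, 0, 5)))
```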




Choosing the review options for the auto-created incidents 


Finally, select an approval type to indicate if you want to automate the review process for 
the incident or manually review the incident. For Automated approval type, select a 
disposition category for reporting and classification, choose whether the incident resulted 
from a manual or automated change, mark the incident Approved, Unapproved Change or 
Policy Violation and provide a comment. Click Save to create the correlation rule. 


Creating an alerting rule for incidents 


While saving a correlation rule, the Correlation rule wizard gives you an option to create 
alerts for the incidents created for a correlation rule. 
When you choose the option to create a rule, FIM opens the Alert Rule wizard to help you configure the alert rule. The new alert rule name and description will be the same as the correlation rule name and description from which the alert rule is created. The search query for the alert rule defaults to Incidents, and a query is created with incident status open or closed and the correlation rule ID. 


Note: The option to create an alerting rule is available only when you create a new 
correlation rule. 


Managing correlation rules 


The Correlation Rules tab lists all the correlation rules. The page shows details such as the name of the rule, the rule ID, whether the rule is currently active or deactivated, and the reviewer of the incident. The page also shows the approval status, change type and disposition category values for incidents when the approval type selected while creating/editing the rule is Manual. The Quick Actions menu on the page provides options to view, edit, delete, activate/deactivate a rule and view the incidents of a rule. 




Managing incidents 


All the incidents generated for a correlation rule are listed in the All Incidents tab with the type "Automated". Note that you cannot delete incidents that are generated for a correlation rule. The activate/deactivate option is available for correlation rules that have a recurring schedule. 


Reviewing incidents 


An incident generated for a correlation rule is available for manual review after a grace 
period of 10 minutes from the scheduled end time of the rule. The “Start Review” option 
on the Quick Actions menu will be available for the incident after the grace period ends. 


Creating and tracking incidents 


You'll want to review the events detected on your assets and group related changes into 
incidents. Review your incidents to determine if they're valid, mark them approved or 
unapproved and classify them by the type of change. 


You also have the option to create incidents based on certain criteria defined in a correlation rule. See “Creating a correlation rule using correlation rule wizard”. 


Creating incidents from the Event tab 


On the Event Review tab, run a query to find related events, click Create Incident and give 
your incident a name. Your new incident will be saved on the Incidents list where you can 
view and add details. All events matching your query will be included. 


Note: The Create Incident option is enabled only after you enter a valid QQL query in the 
search bar. 




The Incidents list is where you'll take actions on your incidents. View details for any 
incident to get a break-down of the events by severity, action and user. Edit any incident to 
rename it or change the events associated with it by modifying the query or timeframe. 
Note: After you create an incident manually, events are marked to the incident after 24 hours. 




Creating incidents from the Incident tab 


To create a manual incident, click Incidents > All Incidents > Create Incident. 


[Screenshot: Create Incident page with the fields Incident Name, Assignee Name, Query (with Saved Searches | Queries links), Start Date and End Date, and the Cancel and Preview buttons.] 


Note: In the Query field, when adding a folder path for the file.fullPath and actor.imagePath 
QQL tokens, do not end the path with a trailing backslash ("\"), as this results in an invalid 
QQL query. 


On the Create Incident page, add the following details: 


-- Incident Name: The name of the incident. 


-- Query: Enter your QQL search query to find events. You can also select the required QQL 
query from the Saved Searches or Queries option. 


-- Start Date, Start Time, End Date and End Time: The period for which you want to 
capture the events matching the QQL query. 


Note: The End Date and Time should always be before or equal to the date and time you 
are creating the incident. 


Click on the Preview option to see the total number of events that are generated based on 
your query. Click Close after you have reviewed the details. 


Note: You can create an incident only if there are events matching your QQL query. 




Click Create. The new incident is listed on the Incidents tab for a manual review. 
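As an added example (not Qualys code), the following Python sketch mirrors the manual-incident workflow above: a minimal subset of QQL (field:value terms joined by "and", with * wildcards and quoted values) selects events inside the chosen time window, the Preview count is computed, and the constraints from the notes (end time not later than the creation time, at least one matching event, no trailing backslash on a path) are enforced. The event records, the matching semantics and any field names beyond the ones the guide uses are assumptions.

```python
"""Build a manual FIM-style incident from a QQL-like query and a time window.

Added example, not Qualys code: only a small subset of QQL is implemented
(field:value terms joined by 'and', '*' wildcards, quoted values).
"""
from datetime import datetime
import fnmatch
import re

# Constructed sample change events (not taken from the guide). Field names
# follow the QQL tokens the guide uses: platform, actor.userName,
# actor.process, file.fullPath.
SAMPLE_EVENTS = [
    {"id": 1, "dateTime": datetime(2020, 5, 9, 10, 0), "platform": "windows",
     "actor": {"userName": r"1511-TEST-197-7\Administrator", "process": "InstallAgent.exe"},
     "file": {"fullPath": r"C:\ProgramData\Microsoft\Report.wer"}, "action": "Create"},
    {"id": 2, "dateTime": datetime(2020, 5, 9, 22, 44), "platform": "windows",
     "actor": {"userName": r"1511-TEST-197-7\Administrator", "process": "InstallAgent.exe"},
     "file": {"fullPath": r"C:\ProgramData\Microsoft\Report.wer"}, "action": "Delete"},
    {"id": 3, "dateTime": datetime(2020, 5, 10, 8, 0), "platform": "linux",
     "actor": {"userName": "bob", "process": "vim"},
     "file": {"fullPath": "/etc/passwd"}, "action": "Content"},
    {"id": 4, "dateTime": datetime(2020, 5, 11, 9, 0), "platform": "windows",
     "actor": {"userName": r"1511-TEST-197-7\Administrator", "process": "cmd.exe"},
     "file": {"fullPath": r"C:\Windows\System32\drivers\etc\hosts"}, "action": "Content"},
]

# One term: field:value, where value is "double quoted", 'single quoted' or bare.
TERM_RE = re.compile(r'([A-Za-z_][\w.]*):(?:"([^"]*)"|\'([^\']*)\'|(\S+))')
# Fields that hold folder/file paths; the guide notes that a trailing backslash
# makes the query invalid QQL.
PATH_FIELDS = {"file.fullPath", "actor.imagePath"}


def parse_query(query):
    """Return a list of (field, pattern) pairs, or raise ValueError for invalid QQL."""
    terms = []
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = TERM_RE.fullmatch(part)
        if not m:
            raise ValueError(f"invalid QQL term: {part!r}")
        field = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        if field in PATH_FIELDS and value.endswith("\\"):
            raise ValueError(f"{field} value must not end with a backslash: {value!r}")
        terms.append((field, value))
    return terms


def get_field(event, dotted):
    """Resolve a dotted token such as actor.userName against a nested event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event, terms):
    """Case-insensitive glob match of every term (assumed QQL-like semantics)."""
    for field, pattern in terms:
        actual = get_field(event, field)
        if actual is None or not fnmatch.fnmatchcase(str(actual).lower(), pattern.lower()):
            return False
    return True


def preview_count(query, start, end, events):
    """Mirror of the Preview button: how many events the incident would contain."""
    terms = parse_query(query)
    return sum(1 for e in events if start <= e["dateTime"] <= end and matches(e, terms))


def create_incident(name, query, start, end, events, now=None):
    """Create the incident record, applying the checks the guide's notes describe."""
    now = now or datetime.now()
    if not name:
        raise ValueError("incident name is required")
    if end < start:
        raise ValueError("end date must not be before start date")
    if end > now:
        raise ValueError("end date and time must not be later than the creation time")
    terms = parse_query(query)
    matched = [e for e in events if start <= e["dateTime"] <= end and matches(e, terms)]
    if not matched:
        raise ValueError("no events match the query in the selected time window")
    return {"name": name, "query": query, "start": start, "end": end,
            "eventIds": [e["id"] for e in matched], "type": "DEFAULT", "status": "OPEN"}


def validation_error(*args, **kwargs):
    """Return the rejection reason the UI would show, or None if the incident can be created."""
    try:
        create_incident(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    window = (datetime(2020, 5, 9), datetime(2020, 5, 10, 23, 59, 59))
    print(preview_count("platform:windows and actor.userName:*Administrator", *window, SAMPLE_EVENTS))
    print(create_incident("Test", 'actor.process:"InstallAgent.exe"', *window, SAMPLE_EVENTS,
                          now=datetime(2020, 5, 12)))
```

The Windows user name in the sample query is written with a bare backslash (as in the guide's screenshot), which the term parser accepts because only the trailing backslash of a path field is rejected.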


Reviewing incidents and taking action 


Choose Start Review to review the events associated with an incident and then mark the 
incident Approved or Unapproved. You'll also classify the events by disposition category 
(e.g. Pre-Approved by Change Control, Patching, Data Corruption, Human Error, etc.) and 
indicate the type of change (e.g. Manual, Automated, etc.). 


[Screenshot: Incidents list with the Quick Actions menu open for an incident (View Details, Generate Report); each incident shows its approval type as Manual or Automated, and closed incidents show their disposition, change type and approval status.] 


Generating reports for incidents 


Select an incident and click “Generate Report” from the Quick Actions menu. Select 
PDF/HTML format and click Download. 


[Screenshot: Incidents list with the Quick Actions menu open for an incident, showing View Details, Edit and Generate Report.] 


The report is created for the incident and placed in the Reports tab. Go to the Reports tab 
and download the report. You can download a report only when its status is Completed. 


[Screenshot: Reports tab listing reports with the columns Date, Report Title, Format and Status (Completed), each with a Quick Actions menu.] 


Report status 


When you submit a request to generate a report, FIM assigns the report one of the 
following statuses, which you can see in the Reports tab as processing progresses: 


- Accepted: The request to generate the report has been accepted. 

- Processing: Report generation is in progress. 

- Completed: The report has been generated and is available for download. 

- Failed: Report generation failed. 


Note: If the report is in the "Failed" state or is stuck in a particular state (other than 
Completed) for a long time, you can run the report again using the "Run Again" option 
from the Quick Actions menu. 


Re-running a report 


Click the Run Again option under the Quick Actions menu to generate a new report with 
the same name but updated data, date, and time. 


The Run Again option is not available if the incident for which the report is generated is 
deleted. 


Note: You cannot rerun reports that have special characters in their name. 


[Screenshot: Reports tab with the Quick Actions menu for a report showing Download and Run Again; the status column shows values such as Completed and Accepted.] 


Reopening closed incidents 


You have an option to reopen a closed incident to modify the incident's review 
information. When you reopen an incident, all the review information in the incident such 
as disposition, change type, approval and other information is set to blank. You can then 
review the reopened incident, provide review comments and mark it Closed. 
To reopen an incident, click Reopen from the Quick Actions menu. 


[Screenshot: Incidents list with the Quick Actions menu open for a closed incident, showing View Details, Reopen and Generate Report.] 


Enter a comment and click Yes. 


[Screenshot: Reopen Incident dialog with a required Comment field (2500 characters maximum) and the prompt "Are you sure you want to reopen this incident?" with Yes and No buttons.] 


Rule-based alerts for events and incidents 


You can configure FIM to monitor critical events/incidents based on the conditions 
specified in a rule and to send you alert messages through a specified messaging system 
when events/incidents matching the conditions are found. The alert message contains the 
event/incident details. For FIM to send alerts, you first need to configure a rule action that 
specifies what action to take when events matching a condition are found. FIM uses the 
rule action settings to send you the alerts. 


Finally, create an alert rule to specify the conditions for triggering the rule and select rule 
actions that you have configured earlier for sending the alert message when a rule is 
triggered. 


Downloading results 


By downloading search results to your local system you can easily manage file change 
events, incidents and assets outside of the Qualys platform and share them with other 
users. You can export results in multiple formats (CSV, XML, PDF, DOC, HTML, etc). 
Just click the Download icon above any list, choose a format and click Download. 


[Screenshot: list toolbar with the Download icon highlighted.] 
Responses 


A Manager user or an equivalent role has the required permissions to carry out the user 
actions available under the Responses tab. 


Note: If a user is assigned a role with no alerting access permission, the user cannot see 
the Responses tab. 


Managing actions 


View the newly created actions in the Actions tab, with details such as the name of the 
action, the type of the action, the number of active and inactive rules that use the action, 
and the user who created it. You can use the Actions menu or the Quick Actions menu to 
view, edit and delete actions, or to save an existing action along with its configuration as a 
new action with a new name. Use the search bar to search for actions using the search 
tokens. Note that you can delete an action only if it is not associated with any active or 
disabled rules. 


[Screenshot: Responses > Actions tab listing an email action with its active and inactive rule counts and creation date, and the Quick Actions menu showing View, Edit and Save As.] 


Creating a new action 


Create a new action to define a mode of communication such as Email, PagerDuty or Post 
to Slack to be used for sending alert messages. To create an action, go to Responses > 
Actions and then click New Action. 




Provide required details in the respective sections to create a new action: 
- In the Basic Information section, provide the name and description of the action in the 
Action Name and Description fields respectively. 


- Select an action from the Select Action drop-down and provide the settings for 
configuring the messaging system that FIM will use to send alerts. 


- We support these three actions: Send Email (Via Qualys)/Send Email (Your SMTP), Post to 
Slack and Send to PagerDuty for alerts. 


a) Select "Send Email (Via Qualys)"/"Send Email (Your SMTP)" to receive email alerts. 
Specify the recipients' email ID who will receive the alerts, subject of the alert message 
and the customized alert message. Note that based on the configuration settings you will 
see either of the two options. 


b) Select “Send to PagerDuty” to send alerts to your PagerDuty account. Provide the service 
key that FIM will require to connect to your PagerDuty account. In Default Message 
Settings, specify the subject and the customized alert message. 


c) Select "Post to Slack" to post alert messages to your Slack account. Provide the Webhook 
URI that FIM will use to connect to your Slack account to post alert messages. In Default 
Message Settings, specify the subject of the alert message and the customized alert 
message. 
[Screenshot: Create New: Action form with the fields Action Name, Description, Select Action (Send Email (Via Qualys)) and the Default Message Settings section with Recipients, Subject Line and Message.] 


Creating a new alert rule 


You can create a new rule from the following pages: 




1) Go to Responses > Rule Manager and click New Rule. 
[Screenshot: Responses > Rule Manager tab with the New Rule button.] 


2) Go to the Dashboard tab and choose a widget that is using a customized query for 
fetching the widget data. Then select the Widget menu and choose “Create Rule from this 
Widget” to create alert rules based on the customized query that you used for creating the 
widget. 


Note that a search query is required in the "Query for the data in the widget" field to create 
a rule from a widget. 


3) Go to the Events > All Events tab or Events > Event Review tab. Enter a search query in 
the search box and press Enter. Click the menu button next to the search box and select 
"Create Alert Rule from Search Query". When you create an alert rule, the search query 
provided on the page is copied to the new rule. 


4) Go to Incidents. Enter a search query in the search box and press Enter. Click the menu 
button next to the search box and select "Create Alert Rule from Search Query". When you 
create an alert rule, the search query provided on the page is copied to the new rule. 


Note: After you upgrade the Cloud Agent to 4.1 or later, the file path is displayed in the 
form c:\directory\sub-directory\file.ext. If not all the agents in your subscription have been 
upgraded to 4.1 or later, edit your existing QQL queries to include the new file path format 
alongside the old one. 


Provide required details in the respective sections to create a new rule: 


- In the Rule Information section, provide a name and description of the new rule in the 
Rule Name and Description. 


- In the Rule Query section, choose Events or Incidents and specify a query for the rule. 
The system uses this query to search for events/incidents. Use the Test Query button to 
test your query. Click the "Sample Queries" link to select from predefined queries. 


- In the Trigger Criteria section, choose from three trigger criteria that work in conjunction 
with the rule query. The trigger criteria are: Single Match, Time-Window Count Match and 
Time-Window Scheduled Match. See Trigger Criteria. 
- In the Action Settings section, choose the actions that you want the system to perform 
when an alert is triggered. 


[Screenshot: Create New: Rule form with the sections Rule Information (Rule Name, Description), Rule Query (Events or Incidents selector, query box, Sample Queries link), Trigger Criteria (Single Match) and Action Settings (Email Action, Pagerduty Action, Slack Action).] 


Selecting trigger criteria 


- Select "Single Match" if you want the system to generate an alert each time it detects an 
event/incident matching your search query. 


- Select "Time-Window Count Match" when you want to generate alerts based on the 
number of events/incidents returned by the search query within a fixed time interval. For 
example, an alert is sent when three matching events are found within a 15-minute 
window. 


[Screenshot: Trigger Criteria section with Time-Window Count Match selected, No Of Matching Events set to 3 in 15 Mins, Aggregate Alerts set to Yes and Aggregate Group set to Action.] 


- Select Time-Window Scheduled Match when you want to generate alerts for matching 
events or incidents found during a scheduled time. The rule is triggered only when an 
event/incident matching your search criteria is found during the time specified in the 
schedule. Choose a date and time range for the schedule and specify how often it should 
run: daily, weekly or monthly. For example, send daily alerts with all matches in a 
scheduled window between 4:56 pm and 5:56 pm. 


[Screenshot: Trigger Criteria section with Time-Window Scheduled Match selected: Time Window Starts On 07/13/2020 at 7:48pm, Ends On 07/13/2020 at 8:48pm, Repeats Daily, summary "Repeats everyday from 07:48 pm to 08:48 pm (1 Hour)", Aggregate Alerts Yes, Aggregate Group Action.] 


For the Weekly option, select the days of the week on which the rule will run. For example, 
send weekly alerts with all matches generated between 4:56 pm and 5:56 pm every 
Monday and Wednesday. 


[Screenshot: Repeats set to Weekly with the days of the week selectable; summary "Repeats monday from 04:56 pm to 05:56 pm (1.00 hours)".] 


For the Monthly option, specify the day of the month on which the rule will run. For 
example, send monthly alerts on the first day of every month. 


[Screenshot: Repeats set to Monthly with Recurring Day 1; summary "Repeats every 1st day of the month from 04:56 pm to 05:56 pm (1.00 hours)"; Aggregate Alerts Yes, Aggregate Group Action.] 


For Time-Window Count Match and Time-Window Scheduled Match, you have the option 
to aggregate the alerts by an aggregate group, such as action or asset host name. When 
you set Aggregate Alerts to "Yes" for a rule, FIM combines all the alerts generated during a 
schedule under the selected aggregate group and, when the schedule ends, sends a single 
alert message that contains all of them. If you set Aggregate Alerts to "No", FIM sends you 
an alert message for each alert generated between the start and end of the specified 
schedule. 
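To make the three trigger criteria and the Aggregate Alerts setting concrete, here is an added Python example (not Qualys code) that evaluates each criterion over a constructed list of events that already match a rule query. The guide does not document FIM's exact counting and aggregation semantics, so the sliding-window rule (events consumed by an alert are not counted again), the requirement that a scheduled window starts and ends on the same day, and the one-message-per-aggregate-group behaviour are assumptions.

```python
"""Evaluate FIM-style alert rule trigger criteria over matching events.

Added example, not Qualys code. The events below are assumed to have
already been selected by the rule query; only the trigger logic is shown.
"""
from collections import defaultdict
from datetime import date, datetime, time, timedelta

# Constructed matching events (not from the guide). 2020-07-13 is a Monday.
MATCHES = [
    {"id": 1, "ts": datetime(2020, 7, 13, 16, 58), "action": "Create", "asset": "web01"},
    {"id": 2, "ts": datetime(2020, 7, 13, 17, 0), "action": "Delete", "asset": "web01"},
    {"id": 3, "ts": datetime(2020, 7, 13, 17, 5), "action": "Content", "asset": "db01"},
    {"id": 4, "ts": datetime(2020, 7, 13, 17, 30), "action": "Create", "asset": "web01"},
    {"id": 5, "ts": datetime(2020, 7, 14, 17, 10), "action": "Content", "asset": "db01"},
    {"id": 6, "ts": datetime(2020, 7, 14, 17, 20), "action": "Create", "asset": "db01"},
    {"id": 7, "ts": datetime(2020, 7, 14, 17, 40), "action": "Delete", "asset": "web01"},
]


def by_time(events):
    return sorted(events, key=lambda e: e["ts"])


def single_match(events):
    """Single Match: one alert for every matching event."""
    return [{"criteria": "single", "events": [e]} for e in by_time(events)]


def time_window_count_match(events, threshold, window):
    """Time-Window Count Match: alert once `threshold` events fall within a
    sliding window of length `window` (e.g. 3 events in 15 minutes).
    Assumption: events that already triggered an alert are not counted again."""
    alerts, bucket = [], []
    for e in by_time(events):
        bucket.append(e)
        # keep only events no older than `window` relative to the newest one
        bucket = [b for b in bucket if e["ts"] - b["ts"] <= window]
        if len(bucket) >= threshold:
            alerts.append({"criteria": "count", "events": bucket})
            bucket = []
    return alerts


def schedule_windows(first_day, until, start_time, end_time,
                     repeats="daily", weekdays=(), month_day=1):
    """Yield (start, end) datetimes for each occurrence of a schedule.
    weekdays uses Monday=0 (Weekly); month_day is the Recurring Day (Monthly)."""
    if end_time <= start_time:
        raise ValueError("window must end after it starts on the same day")  # assumption
    if repeats not in ("daily", "weekly", "monthly"):
        raise ValueError(f"unknown repeat option: {repeats}")
    day = first_day
    while day <= until:
        due = (repeats == "daily"
               or (repeats == "weekly" and day.weekday() in weekdays)
               or (repeats == "monthly" and day.day == month_day))
        if due:
            yield datetime.combine(day, start_time), datetime.combine(day, end_time)
        day += timedelta(days=1)


def time_window_scheduled_match(events, first_day, until, start_time, end_time, **schedule):
    """Time-Window Scheduled Match: one alert per scheduled window that
    contains at least one matching event; windows without matches stay silent."""
    alerts = []
    for ws, we in schedule_windows(first_day, until, start_time, end_time, **schedule):
        hits = [e for e in events if ws <= e["ts"] <= we]
        if hits:
            alerts.append({"criteria": "scheduled", "window": (ws, we), "events": by_time(hits)})
    return alerts


def aggregate_alerts(alerts, aggregate, group_by="action"):
    """Apply the Aggregate Alerts setting to count/scheduled alerts.
    aggregate=True: one message per aggregate group (e.g. per action) per
    window, carrying all of that group's events; aggregate=False: one message
    per matched event."""
    messages = []
    for alert in alerts:
        if not aggregate:
            for e in alert["events"]:
                messages.append({"criteria": alert["criteria"], "events": [e]})
            continue
        groups = defaultdict(list)
        for e in alert["events"]:
            groups[e[group_by]].append(e)
        for key, evs in groups.items():
            messages.append({"criteria": alert["criteria"], "group": key, "events": evs})
    return messages


if __name__ == "__main__":
    print(len(single_match(MATCHES)), "single-match alerts")
    print(time_window_count_match(MATCHES, 3, timedelta(minutes=15)))
    daily = time_window_scheduled_match(MATCHES, date(2020, 7, 13), date(2020, 7, 14),
                                        time(16, 56), time(17, 56))
    print(aggregate_alerts(daily, True, group_by="action"))
```

With the constructed events, the count criterion fires once (events 1 to 3 arrive within seven minutes), the daily schedule between 4:56 pm and 5:56 pm fires on both days, and aggregating the first day's alert by action yields three messages (Create, Delete, Content) instead of four.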


Configuring action settings 


Choose the action that you want the system to perform when an alert is triggered. You can 
choose one of the following actions: Send Email (Via Qualys), Post to Slack, and Send to 
PagerDuty. 


Note that these actions must be configured before creating the Rule. For more information 
on actions, see Creating a new action. 


For example, if you select the action Send Email (Via Qualys), add the following information 
in the mail section so that all the relevant details are included in the email. 


- Recipient: Specify the email IDs of the recipients who will receive the alert email. 


- Subject: Subject of the alert message, e.g. "Unauthorized Modification of Critical 
Authentication files on Linux System". 


- Message: You can customize the alert message. Click the arrow next to Insert Token 
and add all the relevant tokens. 


Ensure you add all the relevant information and tokens in the Message section to get all 
the crucial details of the alert in the notification. 


[Screenshot: the Send Email action settings and the resulting email notification.] 

Recipient: jdoe@qualys.com 
Subject: Unauthorized Modification of Critical Authentication files on Linux System 
Message (with inserted tokens): 

    You are receiving this email as some critical authentication files in your system have been 
    compromised. Please refer the following details: 
    System name: ${asset.name} 
    Process involved: ${actor.process} 
    User involved: ${actor.userName} 
    Encrypted file: ${file.name} 
    Absolute file path: ${file.fullPath} 

Email notification received from noreply@qualys.com (Tue 3/17/2020 5:03 PM): 

    You are receiving this email as some critical authentication files in your system have been 
    compromised. Please refer the following details: 
    System name: qadev1 
    Process involved: vim 
    User involved: bob 
    Encrypted file: .passwd.swp 
    Absolute file path: /etc/.passwd.swp 
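The token substitution shown in the email example can be reproduced in a few lines of Python; this is an added example, not Qualys code. It assumes event data is a nested dictionary whose dotted field names match the token names, and it reports unresolved tokens so that a misspelled token is caught before a rule goes live rather than appearing blank in a notification.

```python
"""Render an alert message template by substituting ${field} tokens from an event.

Added example, not Qualys code. Token names are assumed to map directly onto
dotted field names of a nested event record.
"""
import re

# Constructed event, shaped like the fields the guide's tokens refer to.
SAMPLE_EVENT = {
    "asset": {"name": "qadev1"},
    "actor": {"process": "vim", "userName": "bob"},
    "file": {"name": ".passwd.swp", "fullPath": "/etc/.passwd.swp"},
}

# Message body from the guide's Send Email example, with Insert Token placeholders.
MESSAGE_TEMPLATE = (
    "You are receiving this email as some critical authentication files in your "
    "system have been compromised. Please refer the following details:\n"
    "System name: ${asset.name}\n"
    "Process involved: ${actor.process}\n"
    "User involved: ${actor.userName}\n"
    "Encrypted file: ${file.name}\n"
    "Absolute file path: ${file.fullPath}\n"
)

# A token is ${name} where name is a dotted identifier such as actor.userName.
TOKEN_RE = re.compile(r"\$\{([A-Za-z_][\w.]*)\}")


def flatten(event, prefix=""):
    """Flatten nested fields into dotted names: {'actor': {'userName': 'bob'}}
    becomes {'actor.userName': 'bob'}."""
    out = {}
    for key, value in event.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def tokens_in(template):
    """List the tokens a template references, in order of first appearance."""
    seen = []
    for name in TOKEN_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def render_alert(template, event, missing="<not available>"):
    """Substitute every ${token} from the event. Unknown tokens are replaced by
    `missing` and returned in a list so the rule author can correct them."""
    values = flatten(event)
    unresolved = []

    def replace(match):
        name = match.group(1)
        if name in values:
            return str(values[name])
        unresolved.append(name)
        return missing

    return TOKEN_RE.sub(replace, template), unresolved


if __name__ == "__main__":
    body, unknown = render_alert(MESSAGE_TEMPLATE, SAMPLE_EVENT)
    print(body)
    print("unresolved tokens:", unknown)
```

Checking `tokens_in(template)` against the fields an event actually carries, before saving the action, is the cheap way to make sure the notification will contain the process, user and path details the guide recommends including.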


Managing alert rules 


The Rule Manager tab lists all the rules you have created, with each rule's name, the trigger 
criteria selected for it, whether alert message aggregation is enabled or disabled, the action 
chosen for it, the date and time it was last triggered, its state (enabled or disabled) and its 
creation date and time. Use the Quick Actions menu to View, Edit, Enable, Disable, Delete 
or Show Activity for an existing rule, or choose Save As to copy the rule's configuration 
into a new rule with a new name. Use the search bar to search for rules using the search 
tokens. 


Note that Last Triggered value for a rule is shown after the rule is triggered. 


[Screenshot: Responses > Rule Manager tab listing rules with their trigger criteria, action, last triggered time, state and creation date, and the Quick Actions menu showing View, Edit, Disable, Save As and Show Activity.] 


Managing alerts 


The Activity tab lists all the alerts. For each alert you will see the rule name, the alert status 
(Success, Error, or Retrying if the attempt to send the alert did not succeed), whether 
aggregation is enabled (Yes) or disabled (No) for the rule, the action chosen for the rule, 
the number of matches found for the rule and the user who created the rule. 


Search for alerts using the search tokens (1), select a period to view the rules triggered 
during that time frame (2), click any bar to jump to the alerts triggered in a certain 
timeframe (3), and use the filters to group the alerts by rule name, action name, email 
recipients and status (4). 


[Screenshot: Responses > Activity tab with the search bar (1), the Last 30 Days period selector (2), a bar chart of activities over time (3), and filters for Rule Name, Action Name, Email Recipients and status (4), above the list of alerts showing rule name, status, aggregation, action, matches and creator.] 


Dynamic Dashboards 


You can create multiple dashboards and switch between them. Each dashboard has a 
collection of widgets showing event data of interest. And your dashboards/widgets are 
updated in real-time. 


We have integrated Unified Dashboard (UD) with FIM. UD brings information from all 
Qualys applications into a single place for visualization. UD provides a powerful new 
dashboarding framework along with platform service that will be consumed and used by 
all other products to enhance the existing dashboard capabilities. 


You can use the default FIM dashboard provided by Qualys or easily configure widgets to 
pull information from other modules/applications and add them to your dashboard. You 
can also add as many dashboards as you like to customize your application view. 


For information on creating widgets, dashboards, templates, and more, refer to the Unified 
Dashboard Online Help. 


Global dashboards permissions 


Your access to Unified Dashboard depends on the global permissions granted to you from 
the Admin utility. Refer to the Online Help in the Admin utility for information on Global 
Dashboard Permissions. 


Note: When you assign the Global Dashboard permissions to a role, the Global Dashboard 
permissions override the module-specific dashboard permissions. As a result, the module- 
specific dashboard permissions are ignored. 


FIM dashboards 


FIM provides pre-defined dashboards so that users do not have to define templates and 
add widgets themselves. 


Five default dashboards (MITRE ATT&CK, NIST Special Publication and SolarWinds) are 
provided; their widgets use specific QQL queries for certain types of events. 


Note: Initially, if the user does not have any related events, the dashboard widgets may 
appear blank. 


These dashboards are specific to FIM and include a default template and the widgets a 
user is likely to need. 


Following are the specific dashboards defined in FIM: 
- QFIM LINUX MITRE ATT&CK 
- QFIM LINUX NIST SPECIAL PUBLICATION 
- QFIM WINDOWS MITRE ATT&CK 
- QFIM WINDOWS NIST SPECIAL PUBLICATION 
- SolarWinds Supply-Chain Attack 


These dashboards are defined for both Linux and Windows users. 


Switching dashboards 
Click the down arrow next to the dashboard name and pick the one you want. 


[Screenshot: Dashboard tab with the dashboard selector (My Custom Dashboard) and the Last 30 Days period selector above the Total Changes widget.] 


Adding widgets 
1) Start by clicking the Add Widget icon on your dashboard. 




2) Pick one of our widget templates - there are many to choose from - or create your own. 


3) Each widget is unique. For some you'll select event data, a query and layout - count, 
table, bar graph, pie chart. 


Tip - Wondering how we created the widgets on the default dashboard? Choose Edit from 
the widget menu to see the settings. 


Resizing and layout 
Resize any widget horizontally, drag & drop widgets to change the layout. 
1) Click the Tools icon on your dashboard. 


[Screenshot: dashboard Tools menu with the options Set as Default Dashboard, Edit Dashboard, Edit Dashboard Layout, Create New Dashboard, Create Template from this Dashboard, Delete Dashboard, Print Dashboard, Export this Dashboard, Import New Dashboard and Import New Widget.] 


3) Adjust the width for any widget or drag the widget to a new location. 
4) Click OK to save your changes. 


Refreshing your view 


You might want to see the latest data for a particular widget. 


Hover over the widget, click the widget menu icon and choose Refresh. 


[Screenshot: widget menu for the File Changes by Change Action widget showing Delete, Refresh, Create Template from this Widget and Export this Widget; the dashboard Tools menu also offers Refresh Dashboard alongside the dashboard edit, create, template, delete, print, export and import options.] 


Creating dashboards and templates 


From the Tools menu you can choose to create a new dashboard from scratch or create a 
template for your subscription from the current dashboard. 


[Screenshot: Tools menu with Create New Dashboard and Create Template from this Dashboard highlighted.] 


Importing and exporting dashboards 


You can import and export dashboards with corresponding widgets, and import widgets. 


[Screenshot: Tools menu with Export this Dashboard, Import New Dashboard and Import New Widget highlighted.] 


Reports 


Compliance reports offer detailed accounts of an organization's progress on particular 
compliance initiatives; and if taken collectively, can provide a broad summary of your 
organization's compliance efforts. 


Creating reports on the events that occur as a result of any kind of action in your file 
system is important as the reports enable you to visualize the collected data. You can 
better analyze trends in events detected, generate graphical reports, and create executive 
reports that provide an in-depth insight into your network's file integrity. 


FIM enables you to create on-demand reports or schedule your report generation at a 
future date and time. Specify your reporting criteria by leveraging QQL tokens and have 
access to the most accurate and up-to-date event and incident data in PDF, CSV, or HTML 
formats. 


You can search for reports by the report title in the Reports sub-tab. You can also email 
reports to specified users by using the Notification option that's available while creating a 
report. 


Note: The FIM reports are retained on the Qualys platform for seven days. It is 
recommended that you download your reports within seven days of generation for future 
reference and analysis. 


Creating Reports 


With FIM, you can create a variety of reports to gain insight into the events and incidents 
occurring in your file system. You can either leverage QQLs from Qualys Query Library or 
make use of the saved searches, or even enter your own custom queries, based on which 
change event data is filtered and included in the FIM reports. 


After a report is generated, you can download the report in PDF, CSV, or HTML format. 


Important: As per PCI DSS guidelines, event data is retained for 13 months on the Qualys 
platform. Hence, the on-demand reports can be generated for data collected in the past 
one year. Once generated, reports are purged from the Qualys platform after seven days 
from the day of generation. 